About

Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

November 10, 2014

Virtual Currency Environment Still Fluid after Latest Rulings

The end of October was filled with multiple news-grabbing headlines reflecting the growing fears of Ebola, the exciting seven-game World Series, and the release of the first-ever college football playoff rankings. The launch of ApplePay also saw its fair share of headlines, but one piece of payments-related news might have flown a bit under the radar. On October 27, the United States Department of Treasury's Financial Crime Enforcement Network (FinCEN) issued two virtual currency administrative rulings stemming from its March 2013 guidance on regulations to persons administering, exchanging, or using virtual currencies.

The first administrative ruling involves a virtual currency trading platform that matches its customers' buy-and-sell orders for currencies. The company requesting this ruling stated that they operated the trading platform only and were not involved with money transmissions between it and any counterparty. FinCEN determined that money transmission does, in fact, occur between the platform operator and both the buyer and seller. Consequently, FinCEN said that this company and other virtual currency trading platform operators should be considered "exchangers" or "operators" and required to register as money transmitters subject to Bank Secrecy Act (BSA) requirements.

The second administrative ruling involves a company that enables virtual currency payments to merchants. This company receives payment in fiat currency from the buyer (or consumer) but transfers an equivalent amount of virtual currency to the seller (or merchant) using its own inventory of virtual currency to pay the merchant. This particular company asserted that it wasn"t an "exchanger" since it wasn't converting fiat currency to virtual currency because it was using its own reserve of virtual currency to pay merchants. However, FinCEN determined that this company, and similar companies, is a money transmitter because it accepts fiat currency from one party and transmits virtual currency to another party.

These two rulings confirm that if a virtual currency-related company's services allow for the movement of funds between two parties, that company will be viewed as a money transmitter and will be subject to BSA requirements as a registered money transmitter. As financial institutions consider business relationships with these types of companies, they should make sure that these companies are registered as money transmitters and have BSA programs in place.

The virtual currency regulatory environment continues to be fluid. For example, in his recent comments at the Money 2020 Conference, Benjamin Lawsky, superintendent of the New York Department of Financial Services, suggested that his office will soon be releasing its second draft of a proposed framework for virtual currency business operating in New York. Portals and Rails will continue to monitor this regulatory environment at the state and federal level.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

October 14, 2014

Mobile Biometrics: Ready or Not, Here They Come

Apple's recent announcement about the release of its mobile wallet app—called Apple Pay—energized the mobile payments community. One reason for the spike of interest is Apple Pay's use of fingerprint biometrics as an additional layer of security in validating customers and their transactions. What may have gotten a little a little lost in the chatter that followed this announcement was another, related announcement. As reported in a September 19 FinExtra story, MasterCard (MC) announced it had completed a pilot project that used a combination of facial and voice recognition on a smartphone. MC said that the trial program—which involved MC employees around the globe conducting 14,000 transactions—had a successful validation rate of 98 percent.

The Apple and MC announcements together certainly show that the future of the additional security options on smartphones looks promising. As a recent post noted, consumer research has consistently found that consumers' largest concern about using mobile phones for financial transactions is security. But are biometric technologies ready for prime time? Will their application in the payments ecosystem really give payment providers more confidence that the person they are dealing with is not an imposter?

The latest generations of Apple and Android smartphones are equipped with fingerprint scanners, cameras, and microphones, which allow for the use of fingerprint, voice, and facial recognition. But limitations exist for each of the techniques. The Apple and Android fingerprint readers, for example, were compromised within days of their initial release. And facial and voice recognition applications work best in controlled conditions of lighting and with limited background noise—an unlikely environment for a smartphone user on the go.

But security experts agree that additional customer authentication methodologies—beyond the common user ID and password entry fields—increase the overall authenticity of transactions. Numerous companies are continuing to focus their research and development efforts on improving the reliability and use of their authentication products. So while there is no "one size fits all" authentication solution over the weak and easily compromised ID-and-password method, these biometric methods represent a step forward, and are likely to improve over time.

The Retail Payments Risk Forum is taking a close look at biometrics technology and its impact on the payments system. We are working on a paper assessing biometrics and authentication methodologies that will probably be released by the end of the year. We're planning a forum to be held this upcoming spring on mobile authentication technologies. And we're continuing to write posts on the topic in Portals and Rails.

Please feel free to contact us with your suggestions on biometric issues you would like to see us address in our continuing efforts.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

October 06, 2014

Starting Off on the Right Note with Mobile Enrollment

In Rogers and Hammerstein’s Sound of Music, the classic song “Do-Re-Mi” begins “Let's start at the very beginning / A very good place to start...” Such a suggestion is essential in ensuring that the person enrolling in a payments system is, in fact, who he or she claims to be. The USA Patriot Act requires financial institutions (FIs) to develop a formal customer identification program that validates the customer when the account is opened. This program must specify the documentation that is used for authentication.

However, once the account is open, FIs have greater latitude in their procedures for identifying customers when the FIs handle account access requests, such as when a customer requests a change of address or enrolls in a third-party program that uses a card that the FI has issued to the customer. At that stage, it’s up to an FI’s own risk-management policies as to what documentation to require.

This situation can be risky. For example, let’s look at what happens when a customer wants to add a payment card to a mobile wallet that a third party operates. When the customer adds the card—enrolls with the third party—how can the FI that issued the card know that not only the payment card being added but also the mobile phone itself belongs to the right individual? How can the issuer efficiently and effectively ensure that the payment card information being loaded on a phone hasn’t been stolen? Adding any sort of verification process increases the friction of the experience and can result in the legitimate user abandoning the process.

Most mobile wallet operators use several techniques to validate that both the mobile phone with the wallet and the payment card belong to the rightful customer. (These operators send a request to the issuing FI as part of their enrollment process.) Some FIs require the operator to have customers submit their payment card information along with their cards’ security code and additional data, such as the last four digits of the social security number. Others may require just the payment card number, expiration date, and card security code, although such a minimal requirement offers little protection against a stolen card being added to a criminal’s phone. Still others require the customer to submit a photo of the payment card taken with their phone to verify possession of the card. If the issuer can obtain some of the phone’s device information, it can increase the level of confidence that the authorized cardholder is using their phone.

Regardless of what process is used, having strong identification controls during the initial enrollment step is essential to a sound risk management program.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

July 28, 2014

Where's the Mobile Payment?

I was a big fan of the '80s Wendy's commercials that featured an older woman uttering the phrase, "Where's the beef?" I recently found myself muttering something similar to myself: "Where's the mobile payment?" In early July, I came across the American Banker website headline "Six Fintech Startups That Wowed Bankers." The article highlighted six tech startups that recently pitched their financial products and services to executives from 15 of the largest banks at a one-day event. I was expecting to read about several mobile payment or mobile wallet startups, but surprisingly, none were mentioned.

According to the article's author, for a fintech startup to capture a banking executive's attention, it must address a need in the marketplace that few others are meeting. Could it be that the executives don't view mobile proximity payments as a customer need? I recently blogged about mobile payments fatigue and received some mixed feedback—but I heard little from our banking community readers. From a mobile payments perspective, they are extremely active in both person-to-person and bill payment initiatives. But outside of a few limited pilot programs, financial institutions have made little noise regarding mobile proximity payments or mobile wallets.

Given the prominent role financial institutions are playing in mobile payments through person-to-person and bill payments, why aren't they actively participating in proximity payments at retailers? Are they failing to meet the needs of their customers? According to the J.D. Power 2014 Retail Banking Study, customer satisfaction with banks is at an all-time high. And though the study found that some banks are falling short of meeting their customers' needs, the large banks covered in the survey experienced a significant rise in customer satisfaction scores, leading me to believe these banks are doing as good of a job as ever in listening to their customers and fulfilling their needs.

Is it possible that there isn't currently a driving consumer need for banks to deliver a mobile proximity payment or mobile wallet solution? My colleague Dave Lott suggested earlier this year that for mobile adoption to take place, the experience needs to follow Andy Grove's 10x rule and be 10 times better than what consumers are used to. What do you think it will take to catch the eyes of banking executives in the mobile proximity payments space?

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

March 03, 2014

An Efficient Mobile P2P Payment: The Paper Check

Having had the chance to spend some time reviewing the 2013 Federal Reserve Payments Study, I was struck by the lasting power of the check in the consumer-to-consumer (or P2P) space. Although overall check usage has declined (checks written by businesses and by consumers to businesses have all declined significantly), check usage in the P2P space increased between 2006 and 2009 and was stable from 2009 to 2012. And this has occurred when the number of bank and nonbank mobile P2P payment solutions that have entered the marketplace or matured during the past few years.

As a parent of two young children, I have acquired ample experience in the P2P payments space—that is, in paying babysitters. As a self-proclaimed payments geek, I am always interested in learning how the babysitter prefers to be paid. Cash remains king with most, at least the high school-aged ones. We have one college-aged sitter who likes being paid through a nonbank P2P payment provider. And most recently, another college-aged sitter wanted to be paid by check, which really caught me off guard. She informed me that she uses her mobile banking app to process her checks through mobile remote deposit capture (RDC) and that she prefers having access to the funds through her debit card over cash. The amazing thing that has struck me from these weekly transactions is the efficiency of this P2P payment transaction.

If the babysitter makes the mobile deposit before 9 p.m. (ET), she has access to the funds the following day. If after 9 p.m. , the funds are available to her in two days. On my end, the transaction appears in my banking activity the morning following the deposit. Talk about efficient—fast and inexpensive (no fees paid by either of us)!

Obviously, the efficiency of this transaction would have been diminished were this not a face-to-face transaction. And maybe that is where the true value of online or mobile P2P payments comes into play. However, the resilient check and mobile RDC banking application worked really well in this face-to-face setting. According to a recent report, mobile RDC was offered by approximately 20 percent of U.S. banks in 2013, up from 7 percent at the end of 2012. As more financial institutions roll out the offering in the upcoming year, maybe it will be the case that the old paper check is here to stay and will flourish in the P2P payments space. And based on my experience, that might not be a bad thing!

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

July 15, 2013

In Memory of a Beloved Colleague: Protecting Your Bank Account

This repost of a blog post, originally published on April 8, 2013, is in memory of our beloved colleague and friend, Michelle Castell. Michelle died earlier this month after a long and courageous battle against cancer. The blog summarizes a white paper Michelle wrote earlier this year concerning online account takeovers, a topic that is still timely. Michelle was new to the world of payments when she joined the Retail Payments Risk Forum in mid-2012. In her enthusiasm to learn about payments, she experimented with different payment types and channels to gain a personal understanding of how they work and the risks they pose. Michelle was immediately intrigued and concerned by the account takeover risks posed to consumers and businesses from the alarming growth of malware on mobile phones. It was through her personal and enthusiastic approach to her work that Michelle became an advocate for improved consumer education when it comes to payments security—which is the conclusion of this post and her account takeover white paper. You can find a link to the white paper at the end of the post.

Today's news is loaded with stories of account takeovers of both businesses and individuals. With an alarming frequency, accounts are hacked, identities are stolen, and money disappears. Have the availability of smartphones and their increased use for conducting social, financial, and personal business sparked this increase? With a 78 percent penetration rate in the United States alone, mobile phones are not going away, and smartphone growth is catching up.

Currently, there are 6 billion mobile subscribers worldwide, with more than 1.2 billion of them accessing the web at any given time. These individuals are shopping, banking, watching videos, playing interactive games with other players, texting, or e-mailing on their devices. Smartphone users are actually three times more likely to provide their log-in information when prompted than those accessing the Internet from a personal computer, according to the computer and network security company RSA. Given these trends, fraudsters are once again taking advantage of the weak spot and using technology to spread malware onto mobile phones.

While the number of individuals accessing the web is staggering, perhaps even more amazing is the increased usage of mobile devices for sending text messages. In 2011 alone, more than eight trillion text messages were sent. As such, text messaging fraud—or “smishing,” a term created from the abbreviation for short message service SMS—is now becoming a tool of choice for fraudsters.

Is your phone protected? Studies conducted in the United States and abroad show that only 4 to 10 percent of all phones have antivirus software, compared to over 80 percent for personal computers. It's just as easy for a cybercriminal to gain access to your financial institution through a mobile text or a mobile e-mail account as it would be on a computer.
Could protection and education about mobile security be the ticket to reducing account takeovers? I believe it can. Taking a bite out of that 90-percent statistic for unprotected smartphones most certainly will deflect attacks that could penetrate through to the financial environment. T-Mobile recently announced it was teaming up with Lookout virus protection to begin shipping most Android models with out-of-the-box protection against malware and viruses. This move could be a significant first step in virus protection, especially if other phone manufactures were to follow suit.

What can you do? Well, there are a few things, including:

Install a certified virus application on all family devices and set them to run weekly (many good options are free).

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

July 01, 2013

The Cost of "Free"

Many retail-centric banks have found themselves in a fee-revenue dilemma as the impact of regulations regarding overdraft fees and debit card interchange revenue begins to be felt. After decades of providing "free" services to consumers, these banks are under significant customer pressure to continue this practice even as they roll out new products and services. But this pricing model poses financial risk. The operating expenses of the bank are increasing at the same time that the banks are receiving minimal—if any—incremental revenue.

I recently participated in a conference that had a session comprised of a panel of four MBA students. The goal of the session was for the audience of bankers to better understand the driving forces for financial service decisions by the Gen Y, or millennial, customer. (I wrote a bit about this panel in a previous post.) One eye-opening statement universally shared by the panel was the expectation that mobile banking and mobile banking services be provided free of charge. When asked for a justification, they believe that by using the mobile channel they "saved" the bank money over writing a check or going into a branch office. When further questioned as to how the bank was going to pay for the development and operating expenses of such new products and services, their response was essentially that they believe the bank earns sufficient revenue from its lending operations, including credit cards and installment and mortgage loans. I am sure that many other consumer segment groups have this attitude as well.

After Regulation II capped debit card interchange fees for banks with assets exceeding $10 billion, some banks announced they would begin charging a monthly debit card fee. Consumer and media response was so negative that banks withdrew the proposed fee changes. Subsequently, many banks changed their checking account service fee waiver conditions by raising minimum balance requirements, requiring other account relationships (to provide additional revenue support), or eliminating some previously bundled services. The Bankrate 2012 Checking Survey found that only 39 percent of banks were offering free checking without a minimum balance requirement or maintenance fee. This percentage is down from 45 percent in 2011 and 76 percent in 2009. Credit unions have not followed suit—the number of them offering free checking is holding fairly steady at around 72 percent.

Is there anything banks can do to shift consumers' expectations and ease some of the financial risk associated with controlling operating expense levels? We would like to hear from you.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

May 13, 2013

Which Is Riskier, Change or Avoiding It?

There is no denying that any level of change brings with it some level of risk. However, sometimes avoiding change can result in even greater risk. That is the quandary many retail banks find themselves in today as they grapple with the issues of mobile banking and payments and their role in the bank's overall delivery-channel strategy. Sustainability and regeneration are principles normally associated with the community development and environmental arenas, but they can be easily applied to the banking industry and its consumer delivery channels.

Numerous research studies document a large gap in banking attitudes and product or channel usage between the Gen Y or millennial customers and the older customer segments (those who are over 35, if you consider that old). (The Retail Payments Risk Forum discussed some of this research in a paper posted on our website in April.) Younger customers have less loyalty to bank brand, readily adopt new technology, are highly influenced by advertising and peers, expect free or low-cost banking products and services, and are driven by convenience. While they do have a higher overall trust level of banks compared to nonbanks, the gap is not anywhere near as large as that of the older customer segment. The younger segments have eagerly adopted online and mobile banking and are viewed as the early adopters of mobile payments. In fact, when they select a financial institution, the quality and expansiveness of the mobile banking offering is a major factor in their decision.

So what does this changing landscape have for the future of the traditional brick-and-mortar-branch delivery channel? For some time, banks have tried to establish branches primarily as sales centers while moving basic service transactions to alternative automated, less-expensive delivery channels. This effort will continue, but banks must also regenerate their overall delivery-channel strategy to provide sales and service capabilities through virtual channels in order to attract and retain the growing Gen Y customer segment. This regeneration and sustainability effort involves the "right sizing" of each channel to provide their existing and future customers with the appropriate level of services and features as well as capacity to meet service quality goals. Not only will this effort require risk assessments to be continually made for each delivery channel, but also to develop a holistic risk assessment of each customer across all delivery channels.

Let us know what changes, if any, you are making in your overall delivery-channel strategy to address the changing demographics of existing and potential bank customers.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

April 08, 2013

Can These Three Steps Protect Your Bank Account?

Today's news is loaded with stories of account takeovers of both businesses and individuals. With an alarming frequency, accounts are hacked, identities are stolen, and money disappears. Have the availability of smartphones and their increased use for conducting social, financial, and personal business sparked this increase? With a 78 percent penetration rate in the United States alone, mobile phones are not going away, and smartphone growth is catching up.

Currently, there are 6 billion mobile subscribers worldwide, with more than 1.2 billion of them accessing the web at any given time. These individuals are shopping, banking, watching videos, playing interactive games with other players, texting, or e-mailing on their devices. Smartphone users are actually three times more likely to provide their log-in information when prompted than those accessing the Internet from a personal computer, according to the computer and network security company RSA. Given these trends, fraudsters are once again taking advantage of the weak spot and using technology to spread malware onto mobile phones.

While the number of individuals accessing the web is staggering, perhaps even more amazing is the increased usage of mobile devices for sending text messages. In 2011 alone, more than eight trillion text messages were sent. As such, text messaging fraud—or “smishing,” a term created from the abbreviation for short message service SMS—is now becoming a tool of choice for fraudsters.

Is your phone protected? Studies conducted in the United States and abroad show that only 4 to 10 percent of all phones have antivirus software, compared to over 80 percent for personal computers. It's just as easy for a cybercriminal to gain access to your financial institution through a mobile text or a mobile e-mail account as it would be on a computer.
Could protection and education about mobile security be the ticket to reducing account takeovers? I believe it can. Taking a bite out of that 90-percent statistic for unprotected smartphones most certainly will deflect attacks that could penetrate through to the financial environment. T-Mobile recently announced it was teaming up with Lookout virus protection to begin shipping most Android models with out-of-the-box protection against malware and viruses. This move could be a significant first step in virus protection, especially if other phone manufactures were to follow suit.

What can you do? Well, there are a few things, including:

Install a certified virus application on all family devices and set them to run weekly (many good options are free).

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

March 25, 2013

What's Next in Mobile Payments?

I recently participated in two banking conferences that displayed the full spectrum of strategic options and plans of banks regarding mobile payments. The first event was the annual operations/technology conference of a statewide bankers' association with all the attendees being small- to mid-sized community banks. All these banks currently offer an online banking application to their customers; about half of these have customized their online banking application for mobile device usage. Only one bank indicated they had a mobile payments application currently in operation. I was surprised to find that only a couple other banks planned to offer a mobile payments application within the next 12–18 months.

Later in the day, a panel of four MBA graduate students from a prestigious business school of a private southeastern university gave their views on mobile payments. The objective of this panel was to help the bankers understand the key drivers of this demographic's banking relationships and needs. All four panel members indicated they frequently accessed their banks' online banking services with their mobile devices as well as their laptops and tablets. They also unanimously stated they would switch financial institutions if the banks didn't offer the service or if they began charging a fee for the service. Interestingly, only one panelist used the mobile payments application from his bank, and his usage was infrequent. The reasons the panel members gave for their disinterest in mobile payments included difficulty of use of a mobile phone versus a laptop or tablet for bill payment or little need for the service because they found their existing payment methods to be as or more convenient.

At the Bank Administration Institute's (BAI) Payments Connect 2013 conference the following week, a featured track of the two-and-a-half-day event was the wide range of marketing, operational, risk, and technology issues related to mobile banking and payments. The prognosis for mobile payments couldn't have been more optimistic, with a number of panelists declaring that the tipping point for mobile payments had been realized earlier in the year. They credited the adoption rate for smartphones and other indicators they believed to be key drivers. Of course, we have to realize that many expressing such optimism worked for a company that has a vested interest in the success of mobile payments. However, that optimism was supported by a number of research studies delivered during the conference that concluded that the rate of smartphone penetration, the growing volume of mobile payment transactions, and overall consumer attitudes would translate to successful mobile payments programs.

One of the questions bankers frequently asked during the BAI conference was what a panelist would recommend the bank do regarding their mobile payments strategy. While there were some slight variations, panelists consistently responded that banks should get involved now and try a number of different, small-scale strategies. Several panelists used the gambling analogy of placing a distributed number of bets of small amounts rather than going "all in" with one particular mobile payments scheme. They acknowledged that the technology winner(s) of mobile payments was far from certain at this point, with near field communication, QR codes, and cloud options all in different states of adoption and each with their individual advantages and disadvantages.

The practice of "spreading your bets" is certainly a valid risk management strategy, but how practical is such a strategy for small financial institutions? The large banks have their research-and-development budgets, IT development staff, and other resources that allow them to participate in multiple pilot programs, but smaller institutions do not have such resources. Most would be able to offer only a mobile payments program supported by their core application processing provider.

As with many new payment products in the past, larger banks have led the initial efforts, and the smaller banks followed suit after customer demand for the service became more certain and with the realization that not offer the service would put them at a competitive disadvantage. Could this be the reason many banks, especially the smaller ones, have been sitting on the sidelines for now until the mobile payments picture becomes a bit clearer? Let us know what you think.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.